fix(metrics): update macros after update #2062
based off #2061
The cross compile and nix pipelines failed with openssl, thus it has nothing to do with this change. These 2 pipelines don't seem to be very stable. I've seen them fail on several occasions for other PRs as well.
They tend to fail for an actual reason related to the code though, both are sensitive to dependency changes. Given the nature of this PR, it is likely related.
Cargo.lock
Outdated
[[package]] | ||
name = "openssl" | ||
version = "0.10.64" | ||
source = "registry+https://github.com/rust-lang/crates.io-index" | ||
checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f" | ||
dependencies = [ | ||
"bitflags 2.4.2", | ||
"cfg-if", | ||
"foreign-types", | ||
"libc", | ||
"once_cell", | ||
"openssl-macros", | ||
"openssl-sys", | ||
] | ||
|
||
[[package]] | ||
name = "openssl-macros" | ||
version = "0.1.1" | ||
source = "registry+https://github.com/rust-lang/crates.io-index" | ||
checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" | ||
dependencies = [ | ||
"proc-macro2", | ||
"quote", | ||
"syn 2.0.52", | ||
] | ||
|
||
[[package]] | ||
name = "openssl-probe" | ||
version = "0.1.5" | ||
source = "registry+https://github.com/rust-lang/crates.io-index" | ||
checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" | ||
|
||
[[package]] | ||
name = "openssl-sys" | ||
version = "0.9.102" | ||
source = "registry+https://github.com/rust-lang/crates.io-index" | ||
checksum = "c597637d56fbc83893a35eb0dd04b2b8e7a50c91e64e9493e398b5df4fb45fa2" | ||
dependencies = [ | ||
"cc", | ||
"libc", | ||
"pkg-config", | ||
"vcpkg", | ||
] | ||
|
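Review bot: The `openssl-sys` 0.9.102 entry at the end of this hunk, with `pkg-config` and `vcpkg` among its dependencies, means the lock file now links a native OpenSSL through `openssl` 0.10.64, so every build environment needs the OpenSSL development files to be present. If the project is meant to stay on a single TLS stack, hold this lock-file change until the crate that pulls in `openssl` can be built without it, and consider a CI check that fails whenever `openssl-sys` appears in Cargo.lock.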
Here's the cause of the issue
(re-posted for clarity)
Hmm, ok. But what can we do? @LecrisUT only bumped the metrics version.
I am just wondering, because I am not sure I understand. At one point the metrics crate in the current version might not be supported anymore. Or introduces a security issue in the future.
I am not saying it has to be updated, but I am at a loss when it comes to updating dependencies.
We can:
1. Help upstream metrics introduce a feature so it does not require openssl
2. Fork upstream
3. Hold off on updating metrics because the current version is currently supported, and does not have security issues, perf issues, or any other reason to put the effort into (1) or (2).
This exact issue illustrates my concern with the dependencies discussion in #2061. It's a really nice ideal, but does not seem practical given limited resources.
Is it `metrics` or `metrics-exporter-prometheus`, and what's the chain of dependencies (and features?) that affects this? I think for the cross-compilation, it's just an issue on the environment side to use appropriate packages for cross-compilation.
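The dependency-chain question in the comment above can be answered from the lock file itself. The following is an added example, not code from this PR or from Atuin: it parses Cargo.lock text and reports the shortest path from a root package to a banned crate. The root name `app`, the `BANNED` set, the `entry` helper and every dependency edge in the sample are assumptions constructed for illustration.

```python
import re
from collections import deque

BANNED = {"openssl-sys"}  # native TLS library that should not be linked

def parse_lock(text):
    """Map package names to dependency names ("syn 2.0.52" is kept as "syn")."""
    graph = {}
    for chunk in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', chunk, re.M).group(1)
        deps = re.search(r"^dependencies = \[(.*?)\]", chunk, re.M | re.S)
        found = re.findall(r'"([^"]+)"', deps.group(1)) if deps else []
        graph.setdefault(name, []).extend(d.split()[0] for d in found)
    return graph

def chain_to(graph, root, target):
    """Shortest path root -> target (breadth-first), or None if unreachable."""
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for dep in graph.get(path[-1], []):
            if dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])
    return None

def audit(text, root):
    """Return {banned crate: chain that pulls it in} for crates in the lock."""
    graph = parse_lock(text)
    return {b: chain_to(graph, root, b) for b in BANNED if b in graph}

def entry(name, *deps):
    # Render one constructed [[package]] entry in Cargo.lock layout.
    body = f'[[package]]\nname = "{name}"\nversion = "0.0.0"\n'
    if deps:
        body += "dependencies = [\n" + "".join(f' "{d}",\n' for d in deps) + "]\n"
    return body

# Constructed lock file: "app" and every edge are assumptions for illustration.
SAMPLE_LOCK = "\n".join([
    entry("app", "metrics-exporter-prometheus", "rustls"),
    entry("metrics-exporter-prometheus", "hyper-tls"),
    entry("hyper-tls", "native-tls"),
    entry("native-tls", "openssl"),
    entry("openssl", "bitflags 2.4.2", "libc", "openssl-sys"),
    entry("openssl-sys", "libc"), entry("rustls"), entry("libc"),
])
```

Run in CI against the real Cargo.lock, a non-empty result from `audit` is the signal to fail the build and shows which direct dependency to look at.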
Thanks for the explanation. I think option 2 is not sustainable, since that might come up for other crates as well. So I think option 3 is the most feasible right now. Maybe I can find the time to look into that upstream issue.
Also, I am ok with option 3 as long as we keep this PR open to track any subsequent necessary changes so that I can port them over.
@LecrisUT it's metrics-exporter-prometheus

> it's just an issue on the environment side to use appropriate packages for cross-compilation

Not quite. NixOS failed because that env did not have openssl installed, same for solaris. The others happened to pass. I'm not ok with having a dependency on both rustls and openssl, nor do I want to switch to openssl just to update this crate.

> I can port them over.

Do you mean that in Fedora Atuin will require openssl?
> I'm not ok with having a dependency on both rustls and openssl, nor do I want to switch to openssl just to update this crate.

Sure, option 3 is ok on my side. Just trying to get a grip of the issue, to know what to track.

> Do you mean that in Fedora Atuin will require openssl?

It's rather `hyper-tls` is pre-built with all necessary dependencies. I can ask the main rust packagers if you think there are issues that you want to avoid. Looking at the implementation of Fedora's `hyper-tls` it seems it is dropping `rustls`?
# Manually created patch for downstream crate metadata changes
# * drop feature for using a vendored TLS backend
Patch: hyper-tls-fix-metadata.diff
I'm more thinking whether Atuin on Fedora is linked with openssl, while Atuin elsewhere is not.
Do I then need to consider that some Atuin users will be affected in the case of a new CVE or other such issue?
> Do I then need to consider that some Atuin users will be affected in the case of a new CVE or other such issue?

This we are always tracking, and when a dependency has any changes, the whole dependency tree upwards is rebuilt.
There's an open issue here; metrics-rs/metrics#418 We already use rustls, so I'd rather not also require openssl. There's no strong need to update the metrics crate right now
Ah, I see. I saw that only after I posted my previous reply. I guess this means
Anyway, if you want to close this, you should mark or tag it somehow. The changes for the metrics update are valid, so we can come back to it whenever you want to update metrics.
Happy to merge this once metrics-rs/metrics#420 or similar are in
Makes perfect sense. see also #2062 (comment)
First, let me check that these changes pass the tests on Fedora, although I think these are disabled by:
%check
# * These tests are skipped because they required a Postgres database to be
# running, which is not possible in the build environment.
%cargo_test -- -- --skip sync --skip change_password --skip multi_user_test --skip registration
Don't worry about it. This will be squashed anyway. Also, even if it weren't the case, a revert would be perfectly fine. Additionally I still have to update the cargo.toml as soon as my PR is merged in the metrics repo and a new release is cut. Then the lock file will also be updated... All good.
The maintainer of metrics hasn't even replied to my PR yet. I guess this might take a while...
FYI: my PR has been merged. waiting for a new metrics-exporter-prometheus release...
@ellie I created a PR to switch to rustls for the prometheus-exporter and a new release has been cut today. Thus no more openssl. The cross-compile has an issue, but I am not able to fix it.
Thanks! It looks like rustls switched from
Unfortunately I don't think this is something I can fix. I think that there are feature flags in rustls, but unless other crates that use rustls make them available, there is nothing someone who uses such a crate can do. So what is the solution to this? Once more it seems we are in a place called dependency hell. Btw, it would also be interesting to know why bindgen-cli cannot be installed on illumos. I suspect the